Tuesday, 5 June 2018

The dust has settled, the world hasn’t ended, but what next?


GDPR – For some it will have felt like a bit of an uphill battle, but now the dust has settled, the world hasn’t ended, what happens next? Read on for 4 steps that’ll make sure you’re not caught out…


As he dusted off his laptop and prised open the lid, David racked his brain to remember his password. No surprise there, David always struggled to remember, but after two weeks off it felt more like Mastermind than a familiar series of letters, numbers and special characters! Five, six, seven attempts and he was in! He was a bit nervous, sweaty-palmed in fact. That familiar feeling of trepidation he got when returning to work after a long break. What surprises awaited him? Had Jeanne from Accounts remembered to pay his supplier invoice? Had Russell the Marketing Intern emailed the entire database by mistake? But this time it was different, it was more than that… because David was the company’s new Data Protection Officer!

A cursory glance at his inbox revealed that the endless procession of Privacy Statement emails had dried up. There were no emails marked urgent from the GDPR Taskforce that David had headed up before jetting off on his holiday, and there was even a pat on the back from his boss. A job well done. David breathed a sigh of relief: he’d done it. The GDPR deadline had passed, and the world hadn’t ended! Phew! So, we can all go back to our day jobs now, right? Or so David thought…

It’s safe to say that David won’t have been the only one returning to work a little nervous after the deadline. It’s also safe to say that he won’t be the only one who’s now thinking, job done. With so much focus on the 25th May and the relief of getting it all done, you could almost forgive him (almost). But what next? The truth is that the job has only just started. GDPR is ongoing and the UK Data Protection Act is only just around the corner. Compliance needs to be managed, monitored and maintained, which is no mean feat!

It’s important to remember, though, that amongst all the scaremongering and big brand faux pas, the regulation has the data subject’s interests at heart, and it’s the safety of their data that the overriding principle looks to protect, so it’s well worth the effort. The regulation isn’t designed to restrict business, but instead to empower it to better protect customer data. Data Privacy Impact Assessments allow companies to document and assess their risks, and the obligation to train staff on a regular basis will reduce the amount of human error leading to data breaches. The need to demonstrate your commitment to Information Security may include increasing the amount of manual penetration testing; the follow-on actions will reduce your vulnerabilities, lessening the likelihood of a breach through hacking.

You can be sure that despite all these best efforts, there will be eagle-eyed journalists up and down the country with their pens poised (or should that be tablets twitching), ready to report on the first big brand that falls from grace, with gusto. So, what can you do to make sure it’s not your brand name in the media spotlight? That it’s not your reputation being dragged mercilessly through the tabloids?

These 4 steps will go a long way to ensure it’s not you.

1.   Check you’ve got the basics right      
Whenever there’s change to process and procedure it’s always best practice to review whether they have been a success. Have all changes been implemented? Communicated to all the relevant staff members? Do those staff members understand them? Are they being followed? And are you documenting this to demonstrate to the regulator? It sounds obvious, but you’d be surprised how many organisations don’t.

2.   Are you set-up to manage GDPR?     
There is a whole host of activities that need to be performed on a regular basis, whether that’s process-led, such as Data Subject Access Requests and reporting of data breaches; action-led, such as testing for vulnerabilities or tracking network access and behaviour; or training-led, such as regular security awareness training to make staff members aware of the latest threats to your data security. Governance, including regular reporting, is key here. Do you know what ‘good’ looks like? How will you know whether you are succeeding? Have you set GDPR objectives? And are they SMART? Are you reporting against them? If yes, then who do they get reported to? Can searches for structured and unstructured data be done within 28 days? Do you have the frameworks in place to track all of this and drive continuous improvement? If this all sounds a bit daunting, then that’s because it requires commitment and dedicated resource. It’s a lot of work, but ultimately these are essential to remaining compliant… and with the wealth of services out there to help, there will be no excuses for the ICO, should they ever come knocking.

3.   Have you really changed?      
So, you’ve checked your deliverables for day one and things look like they are all working. You’ve even set up regular reporting and have some frameworks in place to make sure there is some Governance, but have you really changed? The most effective way to embed change is by changing business culture itself… it’s also the hardest to achieve! But there are ways that you can address this. Do you really have buy-in at the most senior level? Leading by example goes a long way. Are you going to carry out regular risk assessments? Is the Senior Management team part of your Governance process? Do you have regular (not yearly, but quarterly) training for existing staff and new starters? Do you reward positive behaviour relating to Information Security? These are just a few ways that you can start to change your business’s DNA and your overall security posture.

4.   If you have really changed (or are starting to), well done! Now how about a business standard?

You’ve seen the light (and your business has too), and together you are embracing GDPR and ready to reap the rewards that come with improved data security and Governance. Psttt (don’t tell everyone)… you now have the chance to turn this into a competitive advantage. There are plenty of business standards out there that look great on a company’s CV (ISO 27001 or BS 10012, for example). And you can bet if you’re doing ISO 27001 you are doing GDPR, and a lot more. You can choose to align to these standards and shout about it to your clients, suppliers etc… but the real value comes when you are fully accredited. Yes, there’s a cost attached to this, but it is sure to set you apart from some of your competitors and could be the deciding factor that clinches your next big deal.
